iPhone and Android apps now required to have privacy policies

The makers of the most widely used mobile app stores have agreed to comply with a California law requiring mobile apps that collect personal information to have a privacy policy. California Attorney General Kamala Harris announced the agreement today with Apple and Google, which run the two most popular mobile app stores, as well as Amazon, HP, Microsoft, and Research In Motion.

"These platforms have agreed to privacy principles designed to bring the industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy," Harris's office said in a press release. "The majority of mobile apps sold today do not contain a privacy policy."

The agreement doesn't place restrictions on what types of data app makers may collect. But app makers must describe "how personal data is collected, used and shared," and make their privacy policies easily found by users. App store listings will contain either the text of the privacy policy or a link to the policy.

There have been several controversies over mobile app privacy, and one of the most recent centered on the social network Path accessing and uploading iPhone users' contact databases without permission. Harris noted that a Wall Street Journal report last year found "that 45 of the top 101 apps did not provide privacy policies either inside the application or on the application developer’s website," despite the fact that most of the mobile apps were transmitting a phone's unique device ID or location "to other companies without users' awareness or consent." Some apps were also transmitting the user's age, gender, and other personal details.

So is it that mobile apps must have a privacy policy, or mobile apps that collect personal information must have a privacy policy?

Hopefully all of the above. Almost every single app demands access to the internet and so forth... for what purpose? I want to know what every app I have tracks, traces, sends, and receives. It's actually quite ludicrous that to this point apps haven't had to tell us squat about what they're doing with our info.

I hope this legislation mandates that the privacy policies are in plain English and concise. Apps that take info they don't need can be uninstalled and downrated on the app stores, hopefully forcing makers to comply with the privacy demands of users.

I don't know about you guys, but I could care less what other people do with data they collect on me, as long as they don't use it to do something illegal (or sell it to someone who does something illegal with it). I would be OK with getting rid of privacy policies altogether and replace them with a page that declares that "We will not do stupid things."

While I agree that developers should disclose what information they collect and what they do with it, am I the only one worried about any sort of government involvement in app development? It starts with a privacy policy, then it moves on to Apple alerting you every time an app requests information from you (location, push notifications, soon contact info, etc). Remember how annoying Windows Vista's UAC feature was, and how we got so sick of clicking that "allow" button that we either just clicked it blindly without reading what it was doing, or turned off the feature altogether. We gained zero benefit from that feature, and all it did was annoy us.

Same thing is starting to happen with apps. Privacy is important, but our obsession over it is going to drive us crazy and ultimately hurt us. Developers and users both start missing out on opportunities for innovation if they're hobbled by our constant obsession with privacy, and unless we strike a balance, no one will be happy.

I hope this legislation mandates that the privacy policies are in plain English and concise. Apps that take info they don't need can be uninstalled and downrated on the app stores, hopefully forcing makers to comply with the privacy demands of users.

From what I've noticed, most privacy policies are the very opposite of plain, concise English. I can't see why apps would be any different, or how they could even mandate that. What qualifies as "concise" to the court is very different than what qualifies to the average user.

Not that I think this will matter to average users anyway. It will just be another link in the app's description that nobody clicks on. All this means is that when apps do use your information for shady purposes, they will have a clear excuse, "It's right there in the privacy statement!", knowing that most people don't read them. Similar to how they use Terms of Use and License Agreements now.

While I agree that developers should disclose what information they collect and what they do with it, am I the only one worried about any sort of government involvement in app development? It starts with a privacy policy, then it moves on to Apple alerting you every time an app requests information from you (location, push notifications, soon contact info, etc).

"then"? You clearly know Apple already warns you about those things, so why are you saying the government will FORCE Apple to do that? ("it starts with" -> "then" implies a logical progression).

Quote:

Remember how annoying Windows Vista's UAC feature was, and how we got so sick of clicking that "allow" button that we either just clicked it blindly without reading what it was doing, or turned off the feature altogether. We gained zero benefit from that feature, and all it did was annoy us.

UAC succeeded in what it was supposed to do (it was a kick in the nads for developers that thought they were writing applications for Windows 95, that thought Program Files was meant for storing user data).

Quote:

Same thing is starting to happen with apps. Privacy is important, but our obsession over it is going to drive us crazy and ultimately hurt us. Developers and users both start missing out on opportunities for innovation if they're hobbled by our constant obsession with privacy, and unless we strike a balance, no one will be happy.

You're kind of conflicting with yourself. You say no one will read it, but then you say it'll hurt "innovation". Developers should say "hey, this is the data we collect, and this is basically what we do with it". I'm sad that it's having to happen because of the demands of a government, and not the industry (read: Apple & Google) self-regulating, but disclosing this sort of information is a good thing.

Most people won't read it, but some people will. If the app's privacy policy says they're doing nasty stuff, it will be noticed much faster and people will make a fuss about it much sooner than someone watching packet logs will have to currently (the packet logs will still be necessary to detect lies).

Interesting. As an Android app developer who's getting ready to release my first app to the market, I have to now wonder how to write this policy. I don't collect any real information about the user, but I was planning on using Flurry analytics just to see how many active users I have AND to get reports on any thrown exceptions (great way to see if there are any bugs and to squash them before everyone starts giving you negative feedback). The only permissions my app requires is network permissions as it's a network app, so it doesn't even have access to any personal info or contacts, etc. It's a free app without ads or nothing, I just wanna release something to the market with my name on it. I'm guessing I can just make a little notice that I don't collect any personal data and that I use Flurry analytics. I hope that will suffice.

I don't know about you guys, but I could care less what other people do with data they collect on me, as long as they don't use it to do something illegal (or sell it to someone who does something illegal with it). I would be OK with getting rid of privacy policies altogether and replace them with a page that declares that "We will not do stupid things."

So you couldn't care less about a privacy policy, as long as they have some sort of policy for how they use your private data?

So you couldn't care less about a privacy policy, as long as they have some sort of policy for how they use your private data?

I think they just prefer it if the customer doesn't know what the company's privacy policy is. After all, what you don't know can't hurt you, and it also allows the company more business flexibility in amending their internal policy since no one else knows what it is.

Interesting. As an Android app developer who's getting ready to release my first app to the market, I have to now wonder how to write this policy. I don't collect any real information about the user, but I was planning on using Flurry analytics just to see how many active users I have AND to get reports on any thrown exceptions (great way to see if there are any bugs and to squash them before everyone starts giving you negative feedback). The only permissions my app requires is network permissions as it's a network app, so it doesn't even have access to any personal info or contacts, etc. It's a free app without ads or nothing, I just wanna release something to the market with my name on it. I'm guessing I can just make a little notice that I don't collect any personal data and that I use Flurry analytics. I hope that will suffice.

Doesn't sound like personal information. This does raise an interesting question on how this will be enforced though. Will you need to provide a link to a Privacy Policy if your app requests certain permissions e.g. address book access? Will humans be checking it? Almost certainly not in Android's case, but even in Apple's case they seem to be very cavalier in what they let through - I mean seriously, a fake Pokemon app. Really Apple?

While I agree that developers should disclose what information they collect and what they do with it, am I the only one worried about any sort of government involvement in app development? It starts with a privacy policy, then it moves on to Apple alerting you every time an app requests information from you (location, push notifications, soon contact info, etc). Remember how annoying Windows Vista's UAC feature was, and how we got so sick of clicking that "allow" button that we either just clicked it blindly without reading what it was doing, or turned off the feature altogether. We gained zero benefit from that feature, and all it did was annoy us.

Same thing is starting to happen with apps. Privacy is important, but our obsession over it is going to drive us crazy and ultimately hurt us. Developers and users both start missing out on opportunities for innovation if they're hobbled by our constant obsession with privacy, and unless we strike a balance, no one will be happy.

I'm genuinely curious now. Where did the government mandate UAC? Also well done for discovering the age-old security (inconvenience) vs insecurity (convenience) debate.

Also lol at your claim to have an obsession with privacy. The U.S. has probably some of the most pathetic policies on protecting their citizens' privacy in the developed world. Our Data Protection Act may have some issues (mainly not enforced enough and penalties aren't strong enough) but it's decades ahead of what you guys have...

I don't know about you guys, but I could care less what other people do with data they collect on me, as long as they don't use it to do something illegal (or sell it to someone who does something illegal with it). I would be OK with getting rid of privacy policies altogether and replace them with a page that declares that "We will not do stupid things."

...except that, what you *might* want to care about (or what *I* care about, anyway) is the PII of those in your Address Book/Contacts list. You may be exposing *their* personal information without *their* (or perhaps even *your*) express permission. If *I'm* in your Address Book, I may not be eager to have my email address, phone number, street address, and other information exposed to *your* apps! Would you please have the decency and courtesy to ask?

I just wanted to point out that Google encouraging Android developers to have a privacy policy (and follow all sorts of user data best practices) is nothing new. The following was posted to the Android Developers Blog in August 2010, and is worth a read: http://android-developers.blogspot.com/ ... droid.html

What I'm curious about with this story is if they're intending to now enforce this somehow, and if yes then in what way. Someone above suggested forcing developers to link a privacy policy if they request certain permissions, which I suppose could work, though I feel like it wouldn't be very effective. I just can't see Google ever emulating Apple with regards to forcing apps to be manually checked and approved before being submitted to the Market.

I like the German/EU style personal info law. Basically the law is: if you collect and store the info and then lose it, you pay a big fine. So lots of companies don't collect personal info unless they need it right then and don't keep it on file unless they must. I wish it was like that in the USA. My wish is that the fine was $200 per person's data lost, and that the fine is 100x if the company does not promptly report any data loss to the police within 72 hours of finding out about the loss. Also the CEO pays from their salary .001% of the fine after 72 hours if not reported. That should keep companies from keeping unneeded data on their servers.